security

SQL Injection, a problem that is avoidable {1}

by Willen L
In this article the author talks about SQL injection and how it’s been around for more than a decade and many companies do not know how to deal with it or not even implementing solutions to fix this widespread problem. SQL injection is a code injection technique that exploits vulnerability in websites software where arbitrary data is inserted in code that is executed by a database thus compromising the database. Hackers can use this information for Identity Fraud, which cost the US 4.7 billion every year. Knowing this, Microsoft has been giving tips for programmers on how to protect against SQL injection since 2005 but it hasn’t made much of a difference. The author states that this problem is going to rise with how fast technology moves and from the amount of people in the world in the future. It’s up to the individual companies IT managers to step in and access their systems to determine if they are vulnerable and to make security improvements to prevent attacks. The author states that if companies take the necessary precautions, they can prevent 87% of attacks. What the scary thing is that generally it takes about 6-8 months for the company to realize that their database has been breached… read more...

Dangers of SQL {2}

by Mike Y

The article goes over an incident where men stole credit card numbers and explains what SQL injections are. One Miami resident and two Russian men  were sentenced to 17-25 years in prison for stealing 130 million credit card numbers from Heartland Payment Systems. By using a SQL injection, they scammed the company out of $4 million. The article explains that an SQL injection embeds SQL commands or queries masked as a username. It goes on to say that SQL injections tend to target businesses and other organizations. A way to prevent it is to not accept SQL statements directly and instead to use “parameterized statements.” It is related to our class because SQL is a core aspect of databases. It would have to be robust to allow for flexibility in managing data and yet secure so that unauthorized access is prevented. Companies have to decide on which language of SQL to use for their databases. They have to consider security, flexibility, ease of use, and cost among other things. As systems get more complex, it will take an increasing amount of effort to make it secure. As our society increases the use of computers, and, therefore, databases, especially cloud computing, companies will have to invest more in to security. Any kind of breach like in the article would be completely unacceptable to companies like Amazon or Paypal. Although it may not be the company’s fault, they would still lose millions of dollars and the trust of many customers on top of the money lost. I think the consumer would have to start accepting that fraud or information stolen is going to be a constant threat.Albanesius, C. (2010, May 1). Inside the biggest online theft case. PCMag, Retrieved from http://www.pcmag.com/article2/0,2817,2363293,00.asp

Fortinet(TM) Strengthens Database and Application Security With Major Software Release for FortiDB(TM) Product Family {Comments Off on Fortinet(TM) Strengthens Database and Application Security With Major Software Release for FortiDB(TM) Product Family}

by Quoc L
Fortinet have release a major software update for it FortiDB program. The FortiDB program aim at mid to large size organization that need to protect it databases and assets. The update introduce some neat features such as analytics and reporting abilities. A few other improvement the new update included, real time connection blocking and enhance usability. However the majority of the update was to fix all the software loophole that hacker use to gain access to privacy company information. “Protecting sensitive database and application assets is among the most strategic security and compliance requirements organizations face today,”(Marketwire, 2012) read more...

The Importance of Database Modeling {2}

by Vincent S
As we have been learning in this class, it is important to create database models in order to ensure that only well-planned and structured databases are created.  Advantages of imploring this kind of logic include data consistencies and homogenualities that make other features such as relationship building possible.  One additional feature that arises from data modeling that you may or may not realize is database security.  An example of this can be seen in law enforcement and U.S. government intelligence agencies.  There have been recent pressures for government agencies to share data among different office sites in order for convenience and central access.  However, no matter how you approach it sharing data always exposes sensitive database information to possible hostile environments.  One technique that has been developed to combat this issue is data replication.  A single centralized server becomes the main source of updated information.  Whenever information from new accounts is created or when current information is updated, the changes are made in the designated server’s database.  Verification and security checks are performed on that server and an image of the updated information is made.  The image intentionally lacks formatting as it will later be shared among heterogeneous platforms.  It is then sent to a second server where the data image is copied.  From the second server, other servers from localized networks belonging to specific agency offices can then access the information. read more...

When should you use Microsoft SQL Server over Microsoft Access {2}

by Toan T
The article talks about the benefits on when one should choose to use Microsoft SQL Server over Microsoft Access. Microsoft Access is one of the few tools that many businesses use for their database needs. Its intuitive GUI and unique features have made it very easy for people to setup any database and have it running with very little time and efforts. Unfortunately, many large corporations tend to steer away from using Microsoft Access because Access does not have any high level security feature  which makes it very unreliable and hazardous when it come with dealing with sensitive data such as social security numbers, home addresses, etc. This is when SQL server is more preferred because it does exactly what Access can do whist providing many more useful features such as automatic incremental backups, secure data using Windows Active Directory Security System, databases cannot be easily duplicated and so forth. In addition, SQL Server can handle terrabytes worth of data where Access can only handle around 1 gigabyte. Even with the numerous limitations that Access has, it can still be used together with SQL Server One can simply using Access to build a user friendly front end for the database while having all the data be securely stored within SQL Server. read more...

Worries of Cloud Computing {4}

by Cole O’C
This CNN Money/Tech Fortune article discusses several issues currently present with cloud computing, including cloud outages, security issues, server issues, and general confusion. After Amazon’s cloud outages, which affected both small companies and corporate giants, this monstrously powerful technology has come under more scrutiny. The article argues that, even with outages, cloud computing is still a far safer and more efficient method for most companies. It states that the visibility of cloud outages due to so many companies being affected is a somewhat unpleasant advantage, as an internal IT service could fail without anyone noticing for quite some time. The next topic discussed is cloud security and server separation, mainly focusing on how security issues of one company may affect the others. It uses an example of how Dropbox, a file-syncing startup company, had a programming glitch which enabled users to access accounts without inputting the correct password. While this would be quite disastrous even without cloud computing, it becomes more of a concern when an unsecure server is physically connected to other virtual machines running on the cloud that would be otherwise safe. Lastly, the article mentions the confusing nature of cloud computing, and how the majority of people (stated as 78% according to NPD Group) do not actually understand the concept of cloud computing, while an almost equally-sized majority (76%) uses cloud-based services, such as Hulu and Gmail. read more...

Comodo SQL-Injected Again and Again {Comments Off on Comodo SQL-Injected Again and Again}

by Joe C
Summary:

A SQL injection exposed a lot of personal log in information and customer data for a reseller company called Comodo. The breach in security allowed the attackers to access employee log-in credentials. This Brazil-based partner reseller is the forth Comodo partner to be attacked this year. The resulting information gained by the hackers were posted to Pastebin, a text sharing site. To complete an SQL injection attack, SQL statements are inserted into entry fields such as comment or log in fields on a form. When the website tries to process this text, certain code can end the original intent of the entry and execute different functions, in this case, trying to return log in credentials to the attacker. The president (also CEO) of Comodo claimed that the systems were never compromised and hackers had no access to their databases. What they did get from the customer information were names, addresses, emails, and phone numbers. Some private files were also leaked which included user IDs and passwords. A Comodo reseller in Italy was also attacked back in March. Many organizations are currently trying to figure out solutions to certification. read more...

Database Security and McAfee {1}

by Daniel L
The number of databases getting hacked or compromised keeps going up, but the question is, are there any counter-measures being used against these database breaches?  The answer to this question lies in the approach to database security McAfee has taken, providing businesses with protective countermeasures capable of thwarting the influx of potentially harmful intrusions.  McAfee offers businesses protection of data in every state, whether it is at rest or in use, through the combination of network and server security, along with encryption and file permission controls.  It is understood that safeguarding databases is one of the most difficult things to do, and this is where McAfee is trying to make a difference through their offerings.  The security solutions that McAfee offers include database discovery and assessment, protection of data, database management tools, and activity monitors.  First and foremost, information about all the databases belonging to an organization are collected, which ultimately determines if security patches have been properly deployed and installed, scanning for any possible vulnerabilities along the way.  Furthermore, McAfee ensures that critical data will be protected through the use of a firewall along with access restrictions of the users or applications with insufficient permissions.  Real time monitoring alerts are also used to warn database administrators of a possible intrusion attempt, giving them the ability to terminate sessions accordingly. read more...

Video Games and Hacking?? {2}

by Taylor G
Summary:

So the article I read about talks about bridging the gap between video games and computer security.  They talk about how they can use video games to benefit the educational aspect of teaching.  For example in a security class a professor can’t upload a virus to the network and expect the students to be able to stop it without already compromising the security of the entire school and/or implying illegal actions.  Video games let the user react to a series of events and recognize the results within a certain time frame.  For example they created this game where the user, a fish, searches for food, but they must face sharks.  When the user slides over a worm it shows a website, and the user must determine if the website is safe or it is a phishing website.  This informs the user how to determine whether a website is valid or not.  There are also more advanced games for those who have a better knowledge of security and hacking.  One game has missions like being able to hack a bank, hank into a jail, crash the stock market, and you have to get out before you get caught.  The game has a plot that makes you feel like you have to get out because you have the world’s deadliest virus. read more...

The Issue of Security {Comments Off on The Issue of Security}

by Monica G
Summary:

There has to be something said about security, every day we enter more and more companies investing more money into it. And this is not a bad thing. In this publishing, the writer explores different ways for companies to assess risk factors within the IT infrastructure and manage these threats. The author proposes for companies to analyze risk by using Bayesian networks which actually help the administrator of the information to quantify the chances of network breaches at various levels of the company. This way the administrator or administrators can come up with a solid management plan, just in case. And it allows the owner to make reasonable decisions even in a resource scarce environment. read more...